DETAILED ACTION

1. Claims 1-30 remain for examination.



Response to Arguments 

2. Applicant's arguments filed 2/11/09 have been fully considered but they are not
persuasive. Applicant argues, 

Guo et al. and Soto et al. do not disclose, suggest, or teach every element claimed in 
independent claim 1. For instance, those references do not disclose or suggest at least, 
"establishing a login account with login information at the client machine in response to 
the request." Conceding that Guo et al. fails to disclose that element, the Examiner cites 
Soto et al.'s paragraphs [0046] - [0055] as allegedly disclosing that the client establishing 
a login account in response to the request for access from the user machine to the client 
machine. Applicant respectfully disagrees. Soto et al. describes that when the engineer at 
its intranet tries to access an SPOP node at the customer's intranet, the remote access 
server at the engineer's intranet creates a username and one-time passcode (See 
paragraph [0049] of Soto et al.). Paragraph [0051] describes that the remote access
server at the engineer's intranet sends the username and the one-time password that it 
created to the SPOP node. Clearly, Soto et al. does not disclose or suggest that the SP 
node that the engineer is requesting access to creates a username and passcode. On 
the other hand, claim 1 claims "communicating a request for access from the user 
machine to the client machine; establishing a login account with login information at the 
client machine in response to the request." 

Examiner disagrees, having discovered upon further consideration that the claim 
language is broader than is argued by the Applicant. The disputed claim limitation 
requires that the account be "established at" the client machine; this is not necessarily 
limited to having been "created by" the client machine. As is seen in Soto, paragraphs 
0051 and 0052, the remote access server sends the dynamically created username and 
password to the SPOP (Soto's client machine) which also performs a verification step to 
ensure that the account information is valid. A successful validation implies that the 
account has been established at the SPOP, and may be used by the user to 
subsequently log in to the machine (paragraph 0056); and this is all that is required by 
the claim language. Furthermore, even assuming arguendo that the claims recited
"creating" rather than the broader "establishing", it could still be argued the steps 
disclosed in paragraphs 0051 and 0052 are still a creation step, as Soto clearly treats 
that each individual machine that has a copy of the login information counts as a 
separate account - observe that the temporary account can be deleted from the content 
server (paragraph 0053), yet still be used to log in to both the remote server (paragraph 
0055) and the client machine (SPOP: paragraph 0056). Thus one of ordinary skill in the 
art would recognize that each machine in the Soto disclosure is creating a local account 
with the same temporary login information. Regardless, the fact that the temporary 
account disclosed by Soto is established/created on the client machine at the behest of 
another server in the prior art system - rather than being created directly by and on the 
client machine by a locally-running script for example (specification, page 3, paragraph 
0014) - does not invalidate the rejection, as the features alluded to by Applicant's 
narrow interpretation of the claims are not actually recited therein. Although the claims 
are interpreted in light of the specification, limitations from the specification are not read 
into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed.Cir.1993). 

Claim Rejections - 35 USC § 103 

3. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

4. Claims 1-30 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Guo (U.S. Patent Application Publication 2003/0217288) in view of Soto et al. (U.S.
Patent Application Publication 2003/0208695). 

Regarding claims 1, 10-12, 20, and 21: 

Guo discloses a method/system/program for authenticating a user's access to a 
client machine, comprising: communicating a request for access from the user machine 
to the client machine (paragraph 0045; element 32 of Figure 3); establishing a login 
account with login information (paragraph 0032); encrypting the login information at the 
client machine and communicating the encrypted login information to the user machine 
(paragraph 0047); communicating the encrypted login information and authentication 
information associated with the user from the user machine to an authentication server 
(Ibid, and element 50 of Figure 3), the encrypted login information and authentication 
information associated with the user being in an encrypted format that cannot be 
accessed by the user machine when the user machine communicated the encrypted 
login information and authentication information (the ticket being encrypted by a session 
key that only the servers and not the user machine have access to: paragraphs 0038, 
0048, and 0049); and decrypting the encrypted login information at the authentication 
server and communicating the decrypted login information to the user machine if the 
authentication information is acceptable to the authentication server (paragraphs
0039-0040, and 0049-0050), no direct connection being needed between the client machine
and the authentication server to authenticate the user's access to the client machine
(communication between servers is done by the user machine via HTTP redirects:
paragraphs 0046-0049). For the sake of clarity, it is noted that the "client machine" of 
Guo corresponds to the user machine of the claim, and the affiliate server(s) of Guo 
correspond to the "client machine" of the claim. 

Guo does not explicitly disclose wherein the step of establishing the login 
account at the client machine happens in response to the request for access. However, 
Soto discloses this limitation (paragraphs 0046-0056, but particularly 0049-0052). It 
would have been obvious to one of ordinary skill in the art at the time the invention was 
made to modify Guo to allow for a temporary account to be created for use on a client 
machine (such as used by a technician or engineer) and securely communicate such 
information to the user machine, as disclosed by Soto. The motivation for doing so 
would be to expedite the process of allowing users to login to a machine for service and 
maintenance without waiting for days for a new account and without compromising 
security (Soto, paragraph 0004). 

It is noted that the login information (including but not limited to usernames and 
passwords) is known and would be encrypted at its source(s) and subsequently 
decrypted at its destination(s), as those of ordinary skill in the art would have long since 
known that sending said login information over a network in an unencrypted fashion was 
a serious security risk which could otherwise defeat the security afforded by the prior art 
inventions (see the previously cited "Eliminating Plaintext Passwords on Your Network" 
reference). Also note that Guo discloses using SSL - a known solution to the 
aforementioned problem clearly within the technical grasp of one of ordinary skill in the 
art - in that invention (paragraph 0039). Accordingly, if using SSL to encrypt and
decrypt the login information would lead to the anticipated success, it is likely the 
product not of innovation but of ordinary skill and common sense. KSR v. Teleflex, 550 
U.S. at , 82 USPQ2d at 1397. 

Regarding claims 2, 13, and 22: 

Guo and Soto disclose all the limitations of claims 1, 12, and 21 above. Guo
further discloses communicating an identifier associated with the user from the user 
machine to the client machine (paragraph 0038); encrypting the identifier at the client 
machine and communicating the encrypted identifier to the user machine (paragraph 
0047); communicating the encrypted identifier from the user machine to the 
authentication server (Ibid, and element 50 of Figure 3); decrypting the encrypted 
identifier at the authentication server (paragraphs 0039-0040); wherein the decrypted 
login information is communicated to the user machine if the decrypted identifier is 
acceptable to the authentication server (Ibid, and paragraphs 0049-0050). 

Regarding claims 3, 14, and 23: 

Guo and Soto disclose all the limitations of claims 1, 12, and 21 above. Guo
further discloses encrypting the identifier at the client machine and communicating the 
encrypted identifier to the user machine (paragraph 0047); communicating the 
encrypted identifier from the user machine to the authentication server (Ibid, and 
element 50 of Figure 3); decrypting the encrypted identifier at the authentication server 
(paragraphs 0039-0040); wherein the decrypted login information is communicated to
the user machine if the decrypted identifier is acceptable to the authentication server 
(paragraphs 0049-0050). 

Regarding claims 4, 15, 24, and 28-30: 

Guo and Soto disclose all the limitations of claims 1, 12, and 21 above. Guo
further discloses communicating the login information from the user machine to the 
client machine to enable the user to access the client machine (paragraph 0049; 
element 60 of Figure 3). As claims 28-30 consist of all the limitations of claim 4, they 
are rejected by the same rationale. 

Regarding claims 5, 16, and 25: 

Guo and Soto disclose all the limitations of claims 1, 12, and 21 above. Guo
further discloses wherein the login information comprises at least one of a name and a 
password (paragraph 0032). 

Regarding claims 6, 17, and 26: 

Guo and Soto disclose all the limitations of claims 1, 12, and 21 above. Guo
further discloses wherein the login information is encrypted at the client machine using a 
public key of a public key-private key pair (paragraph 0040); and the encrypted login 
information is decrypted at the authentication server using the private key of the public 
key-private key pair (Ibid). 

Regarding claims 7, 18, and 27:

Guo and Soto disclose all the limitations of claims 1, 12, and 21 above. Guo
further discloses wherein the authentication identifier comprises an identifier associated 
with the user (paragraph 0032). 

Regarding claims 8 and 19: 

Guo and Soto disclose all the limitations of claims 1 and 12 above. Guo further 
discloses wherein the encrypted login information is inaccessible to the user machine 
(paragraph 0051).

Regarding claim 9: 

Guo and Soto disclose all the limitations of claim 1 above. Guo further discloses 
wherein the request for access is communicated from the user machine to the client 
machine, and the encrypted login information is communicated from the client machine 
to the user machine via a Secure Sockets Layer connection (paragraphs 0039 & 0055). 

Conclusion 

5. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Thomas Gyorfi whose telephone number is (571) 272-3849.
The examiner can normally be reached on 8:30am - 5:00pm Monday - Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 